eIDAS 2 Certification for Signature Service Providers 2026
eIDAS 2 regulation imposes new requirements on trust service providers. Discover the complete certification pathway to remain compliant in 2026.
Certyneo Team
Why eIDAS 2 Certification Changes the Game for Service Providers
Since the entry into force of Regulation (EU) 2024/1183 of 11 April 2024 — commonly known as eIDAS 2 — trust service providers (TSP) operating in the European Union face a fundamentally reshaped regulatory framework. The revision of the original eIDAS regulation of 2014 does not merely extend the scope of recognised services: it significantly tightens accreditation conditions, introduces new levels of assurance and strengthens supervisory requirements for national oversight bodies. For any actor wishing to offer qualified electronic signature (QES) or advanced signature (AdES) services on the European market, understanding how to obtain eIDAS 2 certification for a signature service provider is no longer optional — it is a strategic imperative.
This article provides a comprehensive overview of the certification pathway: applicable legislation, technical standards to be observed, the role of conformity assessment bodies (CAB), realistic timelines and key operational considerations.
---
The New eIDAS 2 Regulatory Landscape: What Has Changed
From Regulation 910/2014 to Regulation 2024/1183: Major Developments
The original eIDAS regulation (No. 910/2014) laid the foundations for a single digital trust market in Europe. It defined three levels of signature — simple, advanced and qualified — and required qualified providers to appear on the national trusted lists (TSL). eIDAS 2 preserves this architecture but enriches it on several structural points:
- Extension of qualified services: qualified electronic archiving, electronic attestations of attributes (EAA), remote management of qualified signature creation devices (QSCD). These new services are now subject to the same accreditation procedure as qualified signature.
- The European Digital Identity Wallet (EUDIW): providers wishing to interact with the future digital identity wallet must demonstrate compliance with technical specifications published by the Commission (ARF — Architecture and Reference Framework, v1.4, 2024).
- Enhanced supervision: national supervisory authorities (in France, ANSSI) have enhanced powers of investigation and enforcement. Qualified TSPs may be subject to unannounced audits.
- Reduced notification deadlines: any significant security incident must be reported to the competent authority within 24 hours (compared to 72 hours in the previous version for certain incidents).
For a comprehensive overview of the regulation, Certyneo's eIDAS 2.0 guide offers a pedagogical summary of all these developments.
Levels of Assurance and Their Implications for Certification
The distinction between advanced and qualified electronic signature remains the pivot of the system. Only QES benefits from a legal presumption of integrity and imputability equivalent to handwritten signature (art. 25 of eIDAS 2 regulation). This presumption is directly conditional on provider certification.
| Level | Evidentiary Value | Provider Requirement |
|---|---|---|
| Simple (SES) | Limited | None |
| Advanced (AdES) | Significant | Best practices + ETSI standards |
| Qualified (QES) | Maximum (legal presumption) | eIDAS 2 certification mandatory |
---
The eIDAS 2 Certification Process Step by Step
Step 1 — Organisational and Technical Prerequisites
Before formally initiating the certification process, a provider must audit its maturity level across three axes:
1. Compliance with ETSI Standards: the EN 319 series standards form the essential technical foundation. The main ones are:
- ETSI EN 319 401: general requirements for trust service providers
- ETSI EN 319 411-1 and 411-2: policies and requirements for certification authorities issuing certificates (PTC-QC profiles for qualified certifications)
- ETSI EN 319 421: policies and requirements for time stamping service providers
- ETSI EN 319 132: signature formats XAdES (XML), and the associated CAdES (CMS) and PAdES (PDF) series
Compliance with these standards is not optional for qualified providers: it is explicitly required by the European Commission implementing acts.
2. Information Systems Security: QSCDs (qualified signature creation devices) must be certified to Common Criteria (CC) EAL4+ or equivalent. For remote signature solutions — the dominant SaaS model — requirements also apply to the HSMs (Hardware Security Modules) and to the cryptographic key management procedures (FIPS 140-2 Level 3 compliance at minimum).
3. Security Policy (PSSI) and Risk Management: the certification file requires a formalised security policy, aligned with ISO/IEC 27001 (certification against which is strongly recommended and sometimes required by CABs) and incorporating the NIS2 requirements for entities classified as "important" or "critical".
Step 2 — Selection and Engagement of a Conformity Assessment Body (CAB)
In France, CABs accredited by COFRAC (French Committee for Accreditation) to assess trust service providers are few in number. As an example, LSTI (Laboratoire de Sécurité des Technologies de l'Information) and Bureau Veritas Certification are among the referenced actors. At European level, each Member State publishes the list of its notified CABs.
The CAB's role is to conduct a conformity audit in two phases:
- Document review (Phase 1): examination of policies, procedures, Certification Practice Statement (CPS) and technical evidence.
- On-site audit (Phase 2): verification of operational controls, penetration testing, interviews with staff.
The total duration of a CAB audit generally ranges from 4 to 8 weeks depending on the candidate's prior maturity.
Step 3 — Instruction by the National Supervisory Authority
In France, it is ANSSI (National Agency for Information Systems Security) that processes applications for inscription on the national trust list (TSL FR). On the basis of the CAB audit report, ANSSI conducts its own analysis and may request additional information or corrective measures.
The regulatory instruction period is 3 months from receipt of a complete file (art. 17 of eIDAS 2 regulation). In practice, actual timelines are often longer if the initial file is incomplete.
Once registered on the national TSL, the provider is automatically listed in the EUTL (EU Trusted List), published by the European Commission, which gives it immediate cross-border recognition in all 27 Member States.
Step 4 — Maintenance of Qualification and Renewal
eIDAS 2 certification is not permanent. Qualified providers are subject to:
- Annual surveillance audit conducted by the CAB
- Full renewal audit every 24 months (a shortened cycle compared to previous practice)
- Unannounced audits possible at ANSSI's initiative
Any substantial infrastructure change (HSM replacement, PKI evolution, new qualified service) triggers a prior notification procedure and may require a partial audit.
---
Costs, Timelines and Risk Factors: What IT Directors Must Anticipate
Budget and Human Resources
The cost of a first eIDAS 2 certification is significant. Cost items include:
- CAB audit: between €40,000 and €120,000 depending on the scope's complexity
- Technical compliance implementation (HSM, PKI, CC-certified QSCDs): €80,000 to several hundred thousand euros for a proprietary infrastructure
- ISO 27001 certification (recommended as a prerequisite): €15,000 to €50,000 depending on size
- Legal advice fees and CPS drafting: €10,000 to €30,000
- Internal costs: mobilisation of a dedicated team (CISO, DPO, compliance manager) for 12 to 18 months
Cumulating all these items, a complete certification represents a global investment of approximately €200,000 to €500,000 for a mid-sized provider, excluding recurring maintenance costs.
Operational Risk Factors
The most frequent causes of failure or delay in certification procedures are:
- Insufficiently detailed CPS: the Certification Practice Statement must document each control with a level of granularity that is often underestimated.
- Gaps in key lifecycle management: revocation, archiving, destruction of private keys.
- Insufficient incident governance: absence of SIEM, tested incident management procedures, runbooks.
- Underestimation of NIS2: since October 2024, qualified TSPs are automatically classified as "important" entities under NIS2 directive, with additional risk management and reporting obligations.
For companies wishing to delegate these constraints to an already-certified provider rather than building their own infrastructure, the comparison of electronic signature solutions available on Certyneo helps to objectify this build-vs-buy choice.
---
eIDAS 2 and Electronic Signature in Business: Transition Issues
For business users — as opposed to providers — eIDAS 2 certification of their SaaS signature vendor is now an essential selection criterion. Including in tender requests a clause requiring registration on the national TSL has become standard practice in regulated sectors (finance, healthcare, real estate).
Electronic signature in business indeed requires clearly distinguishing use cases requiring QES — agreements with high stakes, powers of attorney, electronic notarial deeds — from those where AdES is sufficient. This mapping of uses directly determines the level of service contractually required from the provider.
Organisations migrating from an existing solution to an eIDAS 2-certified provider must also anticipate the portability of proof archives. The guide on migration from DocuSign or YouSign to Certyneo details best practices for preserving the evidentiary value of documents already signed during the transition.
Legal Framework Applicable to eIDAS 2 Certification
Foundational Texts
The certification of trust service providers rests on a dense regulatory framework that must be understood in its entirety:
Regulation (EU) 2024/1183 of 11 April 2024 (eIDAS 2): the reference text that repeals and replaces the corresponding provisions of Regulation 910/2014. It defines the conditions for obtaining and maintaining the status of qualified provider, national supervision obligations, and requirements for new services (EUDIW, EAA).
Regulation (EU) No. 910/2014 (eIDAS 1): still partially applicable for unchanged provisions; implementing and delegated acts adopted under this regulation remain in force until their formal revision.
French Civil Code, articles 1366 and 1367: article 1366 establishes the principle of equivalence of electronic signature to handwritten signature subject to reliability; article 1367 specifies that reliability is presumed unless proven otherwise when qualified signature is used. These national provisions are directly articulated with the legal presumption of art. 25 eIDAS 2.
Directive (EU) 2022/2555 (NIS2): transposed into French law by the Act of 15 October 2024, it automatically classifies qualified trust service providers as important entities. Obligations: notification to ANSSI within 72 hours of any significant incident, formalised cyber risk management, and periodic security audits.
Regulation (EU) 2016/679 (GDPR): signature service providers process sensitive personal data (identity of signatories, audit logs). Compliance with principles of minimisation, storage limitation and integrity requires a specific impact assessment (DPIA). The legal basis for processing must be documented for each service.
Technical Standards with Regulatory Value
European Commission implementing acts (notably Implementing Decision (EU) 2015/1506 and its revisions) designate ETSI standards as presumptively compliant:
- ETSI EN 319 401: general TSP requirements
- ETSI EN 319 411-1 and 411-2: certification policies
- ETSI EN 319 421: qualified time stamping
- ETSI EN 319 132 / 122 / 102: AdES formats (XAdES, CAdES, PAdES, ASiC)
- ETSI TS 119 431: remote signature services
Legal Risks from Non-Compliance
Fraudulent or negligent use of qualified provider status exposes the provider to administrative sanctions pronounced by ANSSI (suspension, removal from the trust list) and to criminal proceedings (art. 226-17 of the Penal Code, failure to secure personal data). On the civil side, a challenge to the evidentiary value of signatures issued during a period of non-compliance may engage the provider's contractual liability towards its clients.
Use Case Scenarios: eIDAS 2 Certification in Practice
Scenario 1 — A Mid-Sized SaaS Editor Targeting QES Qualification
A company specialising in document dematerialisation, employing around one hundred staff and managing several million signature transactions annually for clients in the banking and insurance sectors, decides to seek eIDAS 2 qualification for its electronic signature service. Until then, the company offered advanced signature based on certificates (AdES), sufficient for the majority of its client contracts, but insufficient for deeds requiring maximum evidentiary value (SEPA mandates, notarised proof agreements).
Following a 3-month internal audit revealing around fifteen major gaps against ETSI EN 319 411-2 requirements, the company engages a 14-month compliance programme. The main workstreams concern replacement of existing HSMs with FIPS 140-2 level 3-certified modules, drafting a 180-page CPS, and obtaining ISO 27001 certification prior to CAB audit. Total investment reaches €340,000. Following the process, registration on the French TSL allows the company to access tender calls from which it was systematically excluded, representing an estimated commercial potential of 20% additional revenue.
Scenario 2 — A Hospital Group Integrating Qualified Signature for Medico-Legal Deeds
A hospital group of approximately 1,200 beds wishes to dematerialise its processes for informed consent, delegation of medical powers and clinical research contracts. These documents fall within the category of deeds for which QES is required or strongly recommended by HAS reference frameworks and the legal framework for health data (art. L. 1110-4 CSP).
Rather than certifying an internal infrastructure — an option deemed too costly and outside core business — the group opts for integration of a third-party provider already registered on the TSL. The IT department conducts a vendor compliance audit based on the ETSI EN 319 401 checklist and verifies actual presence on the EUTL before any contractualisation. The rollout, completed in 4 months, reduces by 65% the time to collect signatures on clinical research files and eliminates the legal risk associated with prior use of simple signatures for sensitive deeds.
Scenario 3 — A Law Firm Securing Private Deed Agreements
A mid-sized law firm managing approximately 400 merger and acquisition transactions and business sales annually, dealing with agreements often exceeding one million euros each, seeks to strengthen the signature of its complex private deeds. Any formal defect can engage the firm's professional liability.
After analysis, the IT team and senior partner agree on a minimum contractual requirement of QES issued by an eIDAS 2-certified provider for any deed valued above €100,000. The provider selection criterion mandatorily includes verification of registration on the national TSL and availability of a recent ETSI compliance certificate (less than 12 months old). This framework allows the firm to reduce by over 80% requests for expert verification of signature validity in subsequent disputes, according to feedback from comparable firms in the sector.
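The trusted-list check mentioned in Step 3 and in Scenarios 2 and 3 (verifying that a vendor actually appears on the national TSL / EUTL with a qualified service in good standing) can be automated against the published XML list rather than done by eye. The Python below is an added example, not Certyneo's code nor an official validator: it parses the trusted-list structure defined in ETSI TS 119 612 (the element names and status URIs are taken from that specification and assumed current), lists every qualified-certificate CA service (CA/QC) with its status, tells you whether a named provider has one in "granted" status, and checks that the list's NextUpdate has not passed. The XML is a constructed sample; in practice you would download the national list referenced from the Commission's List of Trusted Lists (LOTL). The example does not verify the list's XML signature, which a real check must do before trusting its contents.

```python
"""Check a provider's qualified status in an ETSI TS 119 612 trusted list (TSL).

Added example, not Certyneo's code. Parses a national trusted list and reports
whether a named TSP has a CA/QC service in 'granted' status and whether the
list is still within its validity window. The XML below is a constructed sample.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# Namespace and URIs as defined in ETSI TS 119 612 (assumed current; verify
# against the specification and the list you actually download).
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
SVC_TYPE_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

# Constructed sample: one provider with a granted CA/QC service, one whose
# CA/QC service was withdrawn. Names and dates are invented.
SAMPLE_TSL = """<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">
  <tsl:SchemeInformation>
    <tsl:NextUpdate><tsl:dateTime>2026-07-01T00:00:00Z</tsl:dateTime></tsl:NextUpdate>
  </tsl:SchemeInformation>
  <tsl:TrustServiceProviderList>
    <tsl:TrustServiceProvider>
      <tsl:TSPInformation>
        <tsl:TSPName><tsl:Name xml:lang="en">Example Qualified TSP</tsl:Name></tsl:TSPName>
      </tsl:TSPInformation>
      <tsl:TSPServices><tsl:TSPService><tsl:ServiceInformation>
        <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
        <tsl:ServiceName><tsl:Name xml:lang="en">Example QES CA</tsl:Name></tsl:ServiceName>
        <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</tsl:ServiceStatus>
        <tsl:StatusStartingTime>2025-01-15T00:00:00Z</tsl:StatusStartingTime>
      </tsl:ServiceInformation></tsl:TSPService></tsl:TSPServices>
    </tsl:TrustServiceProvider>
    <tsl:TrustServiceProvider>
      <tsl:TSPInformation>
        <tsl:TSPName><tsl:Name xml:lang="en">Withdrawn TSP</tsl:Name></tsl:TSPName>
      </tsl:TSPInformation>
      <tsl:TSPServices><tsl:TSPService><tsl:ServiceInformation>
        <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
        <tsl:ServiceName><tsl:Name xml:lang="en">Old QES CA</tsl:Name></tsl:ServiceName>
        <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</tsl:ServiceStatus>
        <tsl:StatusStartingTime>2024-11-30T00:00:00Z</tsl:StatusStartingTime>
      </tsl:ServiceInformation></tsl:TSPService></tsl:TSPServices>
    </tsl:TrustServiceProvider>
  </tsl:TrustServiceProviderList>
</tsl:TrustServiceStatusList>
"""


@dataclass
class QualifiedService:
    tsp_name: str
    service_name: str
    status: str
    since: str


def _first_name(elem) -> str:
    """Return the first <Name> text under a TSPName or ServiceName element."""
    if elem is None:
        return ""
    name = elem.find("tsl:Name", NS)
    return (name.text or "").strip() if name is not None else ""


def list_qualified_ca_services(tsl_xml: str) -> list[QualifiedService]:
    """Collect every CA/QC service in the list, whatever its current status."""
    root = ET.fromstring(tsl_xml)
    found = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = _first_name(tsp.find("tsl:TSPInformation/tsl:TSPName", NS))
        for info in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            if info.findtext("tsl:ServiceTypeIdentifier", default="", namespaces=NS) != SVC_TYPE_CA_QC:
                continue  # time-stamping, OCSP, etc. are not the qualified-certificate service
            found.append(QualifiedService(
                tsp_name=tsp_name,
                service_name=_first_name(info.find("tsl:ServiceName", NS)),
                status=info.findtext("tsl:ServiceStatus", default="", namespaces=NS),
                since=info.findtext("tsl:StatusStartingTime", default="", namespaces=NS),
            ))
    return found


def is_listed_qualified(tsl_xml: str, provider_name: str) -> bool:
    """True if the named TSP has at least one CA/QC service in 'granted' status."""
    return any(
        s.status == STATUS_GRANTED and s.tsp_name.casefold() == provider_name.casefold()
        for s in list_qualified_ca_services(tsl_xml)
    )


def list_is_current(tsl_xml: str, now_iso: str) -> bool:
    """True if the list's NextUpdate lies after now_iso (ISO 8601, UTC); a stale list must not be trusted."""
    root = ET.fromstring(tsl_xml)
    next_update = root.findtext("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime", default="", namespaces=NS)
    if not next_update:
        return False
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return parse(now_iso) < parse(next_update)


if __name__ == "__main__":
    for svc in list_qualified_ca_services(SAMPLE_TSL):
        print(f"{svc.tsp_name}: {svc.service_name} -> {svc.status.rsplit('/', 1)[-1]} since {svc.since}")
    print("Example Qualified TSP listed:", is_listed_qualified(SAMPLE_TSL, "Example Qualified TSP"))
    print("List current:", list_is_current(SAMPLE_TSL, "2026-01-01T00:00:00Z"))
```

A vendor that appears on the list only with a withdrawn or suspended service, or on a list whose NextUpdate has passed, fails the check just as an absent vendor does, which is the point of looking at the status URI rather than at the mere presence of a name.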
Conclusion
Obtaining eIDAS 2 certification as an electronic signature service provider is a demanding, costly and lengthy process — but essential for any actor wishing to offer maximum legal guarantees to clients on the European market. Between compliance with ETSI standards, CAB audit, ANSSI instruction and maintenance of qualification over time, the process mobilises substantial resources over 12 to 24 months.
For business users, the good news is that building this infrastructure in-house is unnecessary: choosing an already eIDAS 2-certified SaaS provider registered on the national trust list allows you to immediately benefit from the legal presumption attached to QES, without bearing certification costs.
Certyneo is a trusted provider certified for B2B companies that demand legal rigour and ease of use. Discover our pricing and start your free trial today.